[SOLVED] VPN ASA<->1801

Virtual private networks and related topics

Moderator: Federico.Lagni

Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006 10:04 am
Location: Emilia Romagna

The router side looks OK to me, but on the ASA, why did you configure 2 VPNs?!
Remove one VPN and put

permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

inside the ACL

access-list outside_1_cryptomap

The future is made of people who have intuitions and visions ..... they are the people who make the difference ...... those gifted with a THIRD EYE....

Wizard

After that, check the routing for the network behind the ASA on the device connected to the 1800

f0llia
Cisco fan
Posts: 45
Joined: Tue 25 Sep 2007 8:37 am

here is the fixed ASA config:

Code:

ASA Version 8.0(4) 
!
hostname ciscoasa
domain-name default.domain
enable password OfNv9dpMpO8hZAcR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.240 
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.30.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain
object-group network DM_INLINE_NETWORK_1
 network-object 10.1.1.0 255.255.255.0
 network-object 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.30 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:db391627309dbf5ab0646565cfac6a0d
: end
asdm image disk0:/asdm-615.bin
no asdm history enable

but unfortunately I still can't ping 10.1.1.0/24 ... :cry:

Wizard

OK, on the ASA side I'd say we're there.
Do the ACLs

access-list outside_1_cryptomap
access-list inside_nat0_outbound

have any matches?

Do phase 1 and 2 come up?
If the VPN is OK, at this point it's a routing problem, as I told you before

f0llia

yes, the VPN is OK; in fact I can ping the 192.168.0.0/24 network but not 10.1.1.0/24..

any ideas for something to check on the router?

Wizard

Is there a route for the network 192.168.1.0 255.255.255.0?

f0llia

the problem is the reachability of the 10.1.1.0/24 network, which is behind a machine directly connected to the router, not of 192.168.0.0/24, which is a VLAN directly on the router.

here is the latest config of the 1800:

Code:

Building configuration...

Current configuration : 8292 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$gY/u$.iCgNbiQdG8tV.4QDioUJ/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.169
ip dhcp excluded-address 192.168.0.181 192.168.0.254
!
ip dhcp pool dhcpmatrix
   import all
   network 192.168.0.0 255.255.255.0
   domain-name matrix
   dns-server 208.67.222.222 208.67.220.220 
   default-router 192.168.0.254 
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name matrix.locale
ip name-server 208.67.222.222
ip name-server 208.67.220.200
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-43613823
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-43613823
 revocation-check none
 rsakeypair TP-self-signed-43613823
!
!
crypto pki certificate chain TP-self-signed-43613823
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34333631 33383233 301E170D 30383037 30313130 33333136 
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53 
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D343336 31333832 
  3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100C397 
  581E7DD8 1C45EF25 EA014380 70EA5CC9 B4C53FE8 CCF3A6C3 9A836FB6 B975BDB3 
  C0FA383D A42E23C4 5F096D8E 5D511F93 46B8B21F 1389A43E B3A74E5E 4B91A10D 
  15B75C24 FD0BB7E7 B5D8E90A A9817FEC 3C6A7BDF C0C8CB7B 49F798B4 8B44A030 
  BFE1417F 8BA93B28 0BF123A7 473B38BF 949B6606 BE073441 B09B376C 20670203 
  010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603 551D1104 
  19301782 15636973 636F3031 2E6D6174 7269782E 6C6F6361 6C65301F 0603551D 
  23041830 168014A9 60FE5274 8CF68FFF 90819FBE 94780F74 C0A37830 1D060355 
  1D0E0416 0414A960 FE52748C F68FFF90 819FBE94 780F74C0 A378300D 06092A86 
  4886F70D 01010405 00038181 00B92EAD 44A3D4C0 D1690C18 28603FAC F4FCDBCF 
  4D149127 D3CC15F4 0A1E5C6F 26AC38C3 F113E442 B2D9A439 A2A35E35 3B1E2964 
  B4F4BA4A 74C5B96E CEAB964B 6F010BF5 F71C969D 505222FC 10A7E825 388C812E 
  DCD5554C 02B9CF58 374FB517 DCCC8325 43979D2B 50F33EBC 8E3DCF8B E66B7287 
  6FB7C64E 7E3F96F2 A25664F8 3C
  quit
username admin privilege 15 secret 5 $1$FBXm$/S6P82KY2bNgt51TTs6f8.
username nicola privilege 15 secret 5 $1$EJgD$vhmxvZvpuG3xhZ/MdgfYV/
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXX address 1.1.1.1
!
crypto isakmp client configuration group Admin_VPN_Grp
 key 123456789
 pool SDM_POOL_1
 acl 102
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to1.1.1.1
 set peer 1.1.1.1
 set transform-set ESP-3DES-SHA3 
 match address 100
!
!
!
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no snmp trap link-status
 pvc 8/35 
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password 7 0211034B03501B
 ppp pap sent-username [email protected] password 7 08364B5E014F11
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
!
ip local pool SDM_POOL_1 192.168.0.235 192.168.0.245
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 192.168.1.150 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.195 81 interface Dialer0 81
ip nat inside source static tcp 192.168.0.40 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.254 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.40 33437 interface Dialer0 33437
ip nat inside source static udp 192.168.0.40 47156 interface Dialer0 47156
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark *** GESTIONE NAT0 E PAT *** 
access-list 101 remark SDM_ACL Category=16
access-list 101 deny   ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.235
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.236
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.237
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.238
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.239
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.240
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.241
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.242
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.243
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.244
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.245
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 101
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Wizard

Is your setup like this?

network_xxx - router - internet - asa - asa_inside_network

If network xxx doesn't work, the route for asa_inside_network is probably missing on the router...

f0llia
no, it's like this:

Code:

192.168.1.0/24 - ASA --------- 1800 --- 192.168.0.0/24
                                            |
                                          fa0
                                            |
                                        UC520
                                            |
                                     10.1.1.0/24

-From 192.168.1.0/24 I can ping 192.168.0.0/24
-From 192.168.0.0/24 I can ping 192.168.1.0/24
-From 192.168.1.0/24 I CANNOT PING 10.1.1.0/24 (that's the problem)

The UC, on the WAN side, has IP 192.168.1.150


Thanks a lot for the help!

Wizard

Are the routes for the 192.168.1.0/24 network on the UC520 OK?

f0llia

here is the UC config:

Code:

!
! Last configuration change at 06:05:30 PST Fri Nov 21 2008 by cisco
!
version 12.4
parser config cache interface
parser config interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
service compress-config
!
hostname UC520
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ofK/$ssv3JPquJwcPWpqVAyOgH.
!
no aaa new-model
clock timezone PST -8
clock summer-time PST recurring
network-clock-participate wic 1
!
crypto pki trustpoint TP-self-signed-3873364153
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3873364153
 revocation-check none
 rsakeypair TP-self-signed-3873364153
!
!
crypto pki certificate chain TP-self-signed-3873364153
 certificate self-signed 01
  3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383733 33363431 3533301E 170D3038 31313231 31333536
  34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38373333
  36343135 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D369 D36F41F9 69DBF3E2 C4C64031 F1C5287B D332C9FA CB458E45 0D91D18B
  53E60933 770C7123 2F782F40 D0F107FB 14360709 75CD742C 8CC7E5CA FB11EF49
  4F17DF92 3D453F28 B44FB2EF 2EAD1D06 17FF25FB 8E2D4CC9 011FF89D ED2F9FE3
  8AC041D7 47C46DEC E43AD0F9 9A79AFD3 AC0C4A03 69F5F4AF 2AC86B40 A29D8A8B
  30970203 010001A3 65306330 0F060355 1D130101 FF040530 030101FF 30100603
  551D1104 09300782 05554335 3230301F 0603551D 23041830 168014D0 7CEF8C03
  3E2CC28A D0F25A3E 8D758436 9FAD5D30 1D060355 1D0E0416 0414D07C EF8C033E
  2CC28AD0 F25A3E8D 7584369F AD5D300D 06092A86 4886F70D 01010405 00038181
  004B0E15 98F54ECD 785B37BC 89BECDDD 01A55760 6BC72C86 955C4F53 5CE6601A
  968161BE A4DF63FE 0D290080 8E2D4CE3 EC8410B0 252F8B5B 0CCFB5DF 3C40EB26
  828D40EC 7E283A24 495D83CA 59403B15 CB3AD3D2 3398BD59 2D231A49 DBDFCB67
  E3CAF49A 676478F6 3DBEE5D3 55824F74 91D1C29E EAD06209 F2A34346 F86D2F19 C8
        quit
!
!
!
dot11 ssid uc520-data
   vlan 1
   authentication open
!
dot11 ssid uc520-voice
   vlan 100
   authentication open
!
ip cef
!
!
ip dhcp relay information trust-all
ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
ip dhcp pool phone
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   option 150 ip 10.1.1.1
!
ip dhcp pool data
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 63.203.35.55
!
!
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
!
stcapp ccm-group 1
stcapp
!
stcapp feature access-code
!
multilink bundle-name authenticated
isdn switch-type basic-net3
!
!
voice call send-alert
voice rtp send-recv
!
voice service voip
 sip
  no update-callerid
!
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g729r8
!
!
!
!
!
!
!
!
!
!
voice-card 0
 no dspfarm
!
!
!
username cisco privilege 15 secret 5 $1$heVp$llSYm6wAJQMwvmQsCTXeC/
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
!
ip tftp source-interface Loopback0
bridge irb
!
!
!
interface Loopback0
 ip address 10.1.10.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 192.168.0.150 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Integrated-Service-Engine0/0
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
!
interface FastEthernet0/1/0
 switchport voice vlan 100
 macro description cisco-phone
!
interface FastEthernet0/1/1
 switchport voice vlan 100
 macro description cisco-phone
!
interface FastEthernet0/1/2
 switchport voice vlan 100
 macro description cisco-phone
!
interface FastEthernet0/1/3
 switchport voice vlan 100
 macro description cisco-phone
!
interface FastEthernet0/1/4
 switchport voice vlan 100
 macro description cisco-phone
!
interface FastEthernet0/1/5
 switchport voice vlan 100
 macro description cisco-phone
!
interface FastEthernet0/1/6
 switchport voice vlan 100
 macro description cisco-phone
!
interface FastEthernet0/1/7
 switchport voice vlan 100
 macro description cisco-phone
!
interface FastEthernet0/1/8
 switchport mode trunk
 macro description cisco-switch
!
interface BRI0/1/0
 no ip address
 isdn switch-type basic-net3
 isdn point-to-point-setup
 isdn incoming-voice voice
 isdn sending-complete
!
interface BRI0/1/1
 no ip address
 isdn switch-type basic-net3
 isdn point-to-point-setup
 isdn incoming-voice voice
 isdn sending-complete
!
interface Dot11Radio0/5/0
 no ip address
 !
 ssid uc520-data
 !
 ssid uc520-voice
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0/5/0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0/5/0.100
 encapsulation dot1Q 100
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 spanning-disabled
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 no ip address
 bridge-group 2
!
interface Vlan100
 no ip address
 bridge-group 100
 bridge-group 100 spanning-disabled
!
interface BVI1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface BVI2
 no ip address
!
interface BVI100
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 192.168.0.254
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.10.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
snmp-server community public RO
!
!
!
!
tftp-server apps11.8-2-2TR2.sbn
tftp-server apps31.8-2-2TR2.sbn
tftp-server apps41.8-2-2TR2.sbn
tftp-server apps70.8-2-2TR2.sbn
tftp-server cmterm_7936.3-3-13-0.bin
tftp-server cnu11.8-2-2TR2.sbn
tftp-server cnu31.8-2-2TR2.sbn
tftp-server cnu41.8-2-2TR2.sbn
tftp-server cnu70.8-2-2TR2.sbn
tftp-server CP7902080002SCCP060817A.sbin
tftp-server cvm11sccp.8-2-2TR2.sbn
tftp-server cvm31sccp.8-2-2TR2.sbn
tftp-server cvm41sccp.8-2-2TR2.sbn
tftp-server cvm70sccp.8-2-2TR2.sbn
tftp-server dsp11.8-2-2TR2.sbn
tftp-server dsp31.8-2-2TR2.sbn
tftp-server dsp41.8-2-2TR2.sbn
tftp-server dsp70.8-2-2TR2.sbn
tftp-server jar11sccp.8-2-2TR2.sbn
tftp-server jar31sccp.8-2-2TR2.sbn
tftp-server jar41sccp.8-2-2TR2.sbn
tftp-server jar70sccp.8-2-2TR2.sbn
tftp-server P00308000500.bin
tftp-server P00308000500.loads
tftp-server P00308000500.sb2
tftp-server P00308000500.sbn
tftp-server S00105000200.sbn
tftp-server SCCP11.8-2-2SR2S.loads
tftp-server SCCP31.8-2-2SR2S.loads
tftp-server SCCP41.8-2-2SR2S.loads
tftp-server SCCP70.8-2-2SR2S.loads
tftp-server term06.default.loads
tftp-server term11.default.loads
tftp-server term31.default.loads
tftp-server term41.default.loads
tftp-server term61.default.loads
tftp-server term70.default.loads
tftp-server term71.default.loads
tftp-server flash:SCCP42.8-3-2S.loads
tftp-server flash:SCCP45.8-3-2S.loads
tftp-server flash:SCCP75.8-3-2S.loads
tftp-server flash:apps42.8-3-1-22.sbn
tftp-server flash:apps45.8-3-1-22.sbn
tftp-server flash:apps75.8-3-1-22.sbn
tftp-server flash:cnu42.8-3-1-22.sbn
tftp-server flash:cnu45.8-3-1-22.sbn
tftp-server flash:cnu75.8-3-1-22.sbn
tftp-server flash:cvm42sccp.8-3-1-22.sbn
tftp-server flash:cvm45sccp.8-3-1-22.sbn
tftp-server flash:cvm75sccp.8-3-1-22.sbn
tftp-server flash:dsp42.8-3-1-22.sbn
tftp-server flash:dsp45.8-3-1-22.sbn
tftp-server flash:dsp75.8-3-1-22.sbn
tftp-server flash:jar42sccp.8-3-1-22.sbn
tftp-server flash:jar45sccp.8-3-1-22.sbn
tftp-server flash:jar75sccp.8-3-1-22.sbn
tftp-server flash:term42.default.loads
tftp-server flash:term45.default.loads
tftp-server flash:term62.default.loads
tftp-server flash:term65.default.loads
tftp-server flash:term75.default.loads
tftp-server flash:APPS-1.0.4.SBN
tftp-server flash:CP7921G-1.0.4.LOADS
tftp-server flash:GUI-1.0.4.SBN
tftp-server flash:SYS-1.0.4.SBN
tftp-server flash:TNUX-1.0.4.SBN
tftp-server flash:TNUXR-1.0.4.SBN
tftp-server flash:WLAN-1.0.4.SBN
tftp-server flash:cp524g-08-01-07.bin
tftp-server DistinctiveRingList.xml
tftp-server RingList.xml
tftp-server flash:AreYouThereF.raw
tftp-server flash:Bass.raw
tftp-server flash:CallBack.raw
tftp-server flash:Chime.raw
tftp-server flash:Classic1.raw
tftp-server flash:Classic2.raw
tftp-server flash:ClockShop.raw
tftp-server flash:Drums1.raw
tftp-server flash:Drums2.raw
tftp-server flash:FilmScore.raw
tftp-server flash:HarpSynth.raw
tftp-server flash:Jamaica.raw
tftp-server flash:KotoEffect.raw
tftp-server flash:MusicBox.raw
tftp-server flash:Piano1.raw
tftp-server flash:Piano2.raw
tftp-server flash:Pop.raw
tftp-server flash:Pulse1.raw
tftp-server flash:Ring1.raw
tftp-server flash:Ring2.raw
tftp-server flash:Ring3.raw
tftp-server flash:Ring4.raw
tftp-server flash:Ring5.raw
tftp-server flash:Ring6.raw
tftp-server flash:Ring7.raw
tftp-server flash:Sax1.raw
tftp-server flash:Sax2.raw
tftp-server flash:Vibe.raw
tftp-server flash:Analog1.raw
tftp-server flash:Analog2.raw
tftp-server flash:AreYouThere.raw
tftp-server flash:CampusNight.png
tftp-server flash:CiscoFountain.png
tftp-server flash:Fountain.png
tftp-server flash:MorroRock.png
tftp-server flash:NantucketFlowers.png
tftp-server flash:TN-CampusNight.png
tftp-server flash:TN-CiscoFountain.png
tftp-server flash:TN-Fountain.png
tftp-server flash:TN-MorroRock.png
tftp-server flash:TN-NantucketFlowers.png
tftp-server flash:Desktops/320x212x16/List.xml
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x216x16/List.xml
!
control-plane
!
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 100 route ip
!
!
voice-port 0/0/0
 timeouts ringing infinity
!
voice-port 0/0/1
 timeouts ringing infinity
!
voice-port 0/0/2
 timeouts ringing infinity
!
voice-port 0/0/3
 timeouts ringing infinity
!
voice-port 0/1/0
 compand-type a-law
 bearer-cap Speech
!
voice-port 0/1/1
 compand-type a-law
 bearer-cap Speech
!
voice-port 0/2/0
!
voice-port 0/2/1
!
voice-port 0/4/0
 auto-cut-through
 signal immediate
 input gain auto-control -15
 description Music On Hold Port
!
sccp local Loopback0
sccp ccm 10.1.1.1 identifier 1
sccp
!
sccp ccm group 1
 associate ccm 1 priority 1
!
!
dial-peer voice 1 pots
 service stcapp
 port 0/0/0
!
dial-peer voice 2 pots
 service stcapp
 port 0/0/1
!
dial-peer voice 3 pots
 service stcapp
 port 0/0/2
!
dial-peer voice 4 pots
 service stcapp
 port 0/0/3
!
dial-peer voice 5 pots
 description ** MOH Port **
 destination-pattern ABC
 port 0/4/0
 no sip-register
!
dial-peer voice 50 pots
 destination-pattern 9T
 direct-inward-dial
 port 0/1/0
 no sip-register
!
dial-peer voice 51 pots
 destination-pattern 9T
 direct-inward-dial
 port 0/1/1
 no sip-register
!
!
no dial-peer outbound status-check pots
!
!
telephony-service
 video
 load 7960-7940 P00308000500
 load 7914 S00105000200
 load 7902 CP7902080002SCCP060817A
 load 7921 CP7921G-1.0.4
 load 7931 SCCP31.8-2-2SR2S
 load 7941GE SCCP41.8-2-2SR2S
 load 7941 SCCP41.8-2-2SR2S
 load 7961GE SCCP41.8-2-2SR2S
 load 7961 SCCP41.8-2-2SR2S
 load 7975 SCCP75.8-3-2S
 load 7965 SCCP45.8-3-2S
 load 7945 SCCP45.8-3-2S
 load 7942 SCCP42.8-3-2S
 load 7962 SCCP42.8-3-2S
 load 7971 SCCP70.8-2-2SR2S
 load 7970 SCCP70.8-2-2SR2S
 load 7936 cmterm_7936.3-3-13-0
 load 7906 SCCP11.8-2-2SR2S
 load 7911 SCCP11.8-2-2SR2S
 max-ephones 14
 max-dn 56
 ip source-address 10.1.1.1 port 2000
 auto assign 10 to 19
 auto assign 5 to 8 type anl
 calling-number initiator
 service phone videoCapability 1
 service dnis overlay
 service dnis dir-lookup
 timeouts interdigit 5
 system message UC520
 time-zone 5
 max-conferences 8 gain -6
 call-forward pattern .T
 call-forward system redirecting-expanded
 moh music-on-hold.au
 multicast moh 239.10.16.16 port 2000
 web admin system name cisco secret 5 $1$8ORk$B8AsrntuccIi5uSsZgoJy.
 dn-webedit
 time-webedit
 transfer-system full-consult dss
 transfer-pattern 9.T
 transfer-pattern .T
 secondary-dialtone 9
 create cnf-files version-stamp 7960 Nov 11 2008 11:51:57
!
!
ephone-template  15
 button-layout 7931 2
!
!
ephone-dn  5  dual-line
 number 301 no-reg primary
 label 301
 description PhoneA Analog
 name PhoneA Analog
!
!
ephone-dn  6  dual-line
 number 302 no-reg primary
 label 302
 description PhoneB Analog
 name PhoneB Analog
!
!
ephone-dn  7  dual-line
 number 303 no-reg primary
 label 303
 description PhoneC Analog
 name PhoneC Analog
!
!
ephone-dn  8  dual-line
 number 304 no-reg primary
 label 304
 description PhoneD Analog
 name PhoneD Analog
!
!
ephone-dn  9
 number BCD no-reg primary
 description MoH
 moh ip 239.10.16.8 port 2139 out-call ABC
!
!
ephone-dn  10  dual-line
 number 201 no-reg primary
 label 201
 description 201
 name 201
!
!
ephone-dn  11  dual-line
 number 202 no-reg primary
 label 202
 description 202
 name 202
!
!
ephone-dn  12  dual-line
 number 203 no-reg primary
 label 203
 description 203
 name 203
!
!
ephone-dn  13  dual-line
 number 204 no-reg primary
 label 204
 description 204
 name 204
!
!
ephone-dn  14  dual-line
 number 205 no-reg primary
 label 205
 description 205
 name 205
!
!
ephone-dn  15  dual-line
 number 206 no-reg primary
 label 206
 description 206
 name 206
!
!
ephone-dn  16  dual-line
 number 207 no-reg primary
 label 207
 description 207
 name 207
!
!
ephone-dn  17  dual-line
 number 208 no-reg primary
 label 208
 description 208
 name 208
!
!
ephone-dn  18  dual-line
 number 209 no-reg primary
 label 209
 description 209
 name 209
!
!
ephone-dn  19  dual-line
 number 210 no-reg primary
 label 210
 description 210
 name 210
!
!
ephone  1
 device-security-mode none
 mac-address DA2F.EC26.0000
 type anl
 button  1:5
!
!
!
ephone  2
 device-security-mode none
 mac-address DA2F.EC26.0001
 type anl
 button  1:6
!
!
!
ephone  3
 device-security-mode none
 mac-address DA2F.EC26.0002
 type anl
 button  1:7
!
!
!
ephone  4
 device-security-mode none
 mac-address DA2F.EC26.0003
 type anl
 button  1:8
!
!
!
ephone  5
 device-security-mode none
 mac-address 001E.F729.A215
 type 7970
 button  1:10
!
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 login local
 transport input telnet ssh
 transport output telnet ssh
line vty 5 100
 login local
 transport input telnet ssh
 transport output telnet ssh
!
ntp master

!
webvpn cef
end

Wizard

These are the routes:

ip route 0.0.0.0 0.0.0.0 192.168.0.254
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0

Who is 192.168.0.254, the firewall?

f0llia

no, the 1800

Wizard

Yes, sorry, I meant the 1800...
So it doesn't seem to be a routing problem either...

Do one thing: create 2 ACLs on the 1800 to see whether the traffic goes in and out

f0llia

in what sense? what traffic?
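
A static consistency check over the three configurations posted in the thread, as an added example that is not part of the original posts: it compares the two crypto ACLs for mirroring and checks that each static route's next hop lies on a directly connected subnet. The config excerpts are constructed from lines in the posts, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpts: only the relevant lines of the three configs posted in the thread.
ASA_CFG = """\
object-group network DM_INLINE_NETWORK_1
 network-object 10.1.1.0 255.255.255.0
 network-object 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
"""
R1800_CFG = """\
interface Vlan1
 ip address 192.168.0.254 255.255.255.0
interface Dialer0
 ip address negotiated
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 192.168.1.150 permanent
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
UC520_CFG = """\
interface FastEthernet0/0
 ip address 192.168.0.150 255.255.255.0
interface BVI100
 ip address 10.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.0.254
"""

def net(addr, mask):
    # ipaddress accepts netmasks (ASA) and wildcard/host masks (IOS ACLs) alike.
    return ipaddress.ip_network(f"{addr}/{mask}")

def connected_interfaces(cfg):
    """Statically addressed interfaces ('ip address negotiated' is skipped)."""
    found = re.findall(r"^[ \t]+ip address (\S+) (\S+)", cfg, re.M)
    return [ipaddress.ip_interface(f"{a}/{m}") for a, m in found]

def off_link_next_hops(cfg):
    """Static routes whose IP next hop is on no directly connected subnet.

    IOS resolves such a next hop recursively (here it would follow the
    default route), so a hit means "review this route", not "syntax error".
    """
    nets = [i.network for i in connected_interfaces(cfg)]
    flagged = []
    for dst, mask, hop in re.findall(r"^ip route (\S+) (\S+) (\S+)", cfg, re.M):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            continue  # next hop given as an interface name, e.g. Dialer0
        if not any(hop_ip in n for n in nets):
            flagged.append((net(dst, mask), hop_ip))
    return flagged

def candidate_next_hops(router_cfg, neighbor_cfg, dest):
    """Addresses of a neighbor that owns 'dest' and shares a subnet with the router."""
    dest = ipaddress.ip_network(dest)
    neigh = connected_interfaces(neighbor_cfg)
    if not any(i.network == dest for i in neigh):
        return []
    local = [i.network for i in connected_interfaces(router_cfg)]
    return [i.ip for i in neigh if any(i.ip in n for n in local)]

def asa_crypto_pairs(cfg, acl):
    """(source, destination) networks of an ASA extended ACL, object-groups expanded."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s+network-object (\S+) (\S+)", line)
        if m and current is not None:
            current.append(net(*m.groups()))
    pairs = set()
    pat = rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    for s, sm, d, dm in re.findall(pat, cfg, re.M):
        dsts = groups[dm] if d == "object-group" else [net(d, dm)]
        pairs.update((net(s, sm), x) for x in dsts)
    return pairs

def ios_crypto_pairs(cfg, acl):
    """(source, destination) networks of a numbered IOS extended ACL."""
    pat = rf"^access-list {re.escape(acl)} permit ip (\S+) (\S+) (\S+) (\S+)"
    return {(net(s, sw), net(d, dw)) for s, sw, d, dw in re.findall(pat, cfg, re.M)}

def crypto_acl_mismatches(asa_pairs, ios_pairs):
    """Entries on one peer without a mirrored (source/destination swapped) entry on the other."""
    return asa_pairs ^ {(d, s) for s, d in ios_pairs}

def report():
    asa = asa_crypto_pairs(ASA_CFG, "outside_1_cryptomap")
    ios = ios_crypto_pairs(R1800_CFG, "100")
    return {
        "crypto_acl_mismatches": crypto_acl_mismatches(asa, ios),
        "1800_off_link_next_hops": off_link_next_hops(R1800_CFG),
        "uc520_off_link_next_hops": off_link_next_hops(UC520_CFG),
        "candidate_next_hops": candidate_next_hops(R1800_CFG, UC520_CFG, "10.1.1.0/24"),
    }

if __name__ == "__main__":
    for check, result in report().items():
        print(f"{check}: {result}")
```

On these excerpts the crypto ACLs mirror each other, while the 1800's static route to 10.1.1.0/24 uses next hop 192.168.1.150, which is on none of its connected subnets; the UC520's FastEthernet0/0 address 192.168.0.150 is the on-link candidate.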